Preparing to make audience checking for system tokens more conditional.
mifosio-04-04-2018 committed May 26, 2017
1 parent be78b4b commit 4c06f63cda8b2a513ce68f0f930a20e74931eef7
Showing 8 changed files with 65 additions and 16 deletions.
@@ -21,6 +21,9 @@
import java.util.HashSet;
import java.util.Set;

/**
* @author Myrle Krantz
*/
@SuppressWarnings({"WeakerAccess", "unused"})
public enum AllowedOperation {
@SerializedName("READ")
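--- /dev/null
+++ b/io/mifos/anubis/api/v1/domain/AnubisPrincipal.java
@@ -0,0 +1,38 @@
+/*
+* Copyright 2017 The Mifos Initiative.
+*
+* Licensed under the Apache License, Version 2.0 (the "License");
+* you may not use this file except in compliance with the License.
+* You may obtain a copy of the License at
+*
+* http://www.apache.org/licenses/LICENSE-2.0
+*
+* Unless required by applicable law or agreed to in writing, software
+* distributed under the License is distributed on an "AS IS" BASIS,
+* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+* See the License for the specific language governing permissions and
+* limitations under the License.
+*/
+package io.mifos.anubis.api.v1.domain;
+
+/**
+* @author Myrle Krantz
+*/
+@SuppressWarnings("unused")
+public class AnubisPrincipal {
+private final String user;
+private final String forApplicationName;
+
+public AnubisPrincipal(String user, String forApplicationName) {
+this.user = user;
+this.forApplicationName = forApplicationName;
+}
+
+public String getUser() {
+return user;
+}
+
+public String getForApplicationName() {
+return forApplicationName;
+}
+}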
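Review bot: AnubisPrincipal is now the object returned by Authentication.getPrincipal(), but it overrides neither toString() nor equals()/hashCode(), so any framework code or log line elsewhere that still renders the principal via toString() (the token filter in this commit had to switch to getName() for exactly that reason) will print an identity hash instead of the user. The constructor also accepts null for forApplicationName — the guest and tenant authenticators in this commit pass a literal null — and nothing in the class records that. I would add `@Override public String toString() { return user; }` so remaining `principal.toString()` call sites keep the previous meaning, and document the field with `/** Audience (application name) of a system token; null for tenant and guest tokens. */`. If a null user is never legitimate, `this.user = Objects.requireNonNull(user, "user");` in the constructor would catch that at authentication time rather than in a later permission check.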
@@ -38,11 +38,11 @@ protected void doFilterInternal(

final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

Object principal = authentication.getPrincipal();
Object credentials = authentication.getCredentials();
final String principalName = authentication.getName();
final Object credentials = authentication.getCredentials();

if (principal != null && credentials != null) {
UserContextHolder.setAccessToken(principal.toString(), credentials.toString());
if (principalName != null && credentials != null) {
UserContextHolder.setAccessToken(principalName, credentials.toString());
}

filterChain.doFilter(request, response);
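Review bot: The token stored by the new line `UserContextHolder.setAccessToken(principalName, credentials.toString());` is never cleared in this hunk; if UserContextHolder is thread-local (its implementation is not visible here), the bearer token of one request survives on the pooled servlet thread after `filterChain.doFilter` returns and can bleed into a later request that takes the `principalName == null` path. Wrapping the downstream call as `try { filterChain.doFilter(request, response); } finally { /* reset UserContextHolder */ }` with whatever clear/reset method the holder offers removes that risk. doFilterInternal continues past the end of the hunk, so the cleanup may already exist further down; if it does, a one-line comment at the set call pointing to it would spare the next reader the same question.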
@@ -15,6 +15,7 @@
*/
package io.mifos.anubis.security;

import io.mifos.anubis.api.v1.domain.AnubisPrincipal;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;

@@ -32,14 +33,16 @@ class AnubisAuthentication implements Authentication {

private final String token;
private final String userIdentifier;
private final String callingApplicationIdentifier;
private final Set<ApplicationPermission> applicationPermissions;

AnubisAuthentication(final String token, final String userIdentifier,
AnubisAuthentication(final String token, final String userIdentifier, final String callingApplicationIdentifier,
final Set<ApplicationPermission> applicationPermissions) {
authenticated = true;

this.token = token;
this.userIdentifier = userIdentifier;
this.callingApplicationIdentifier = callingApplicationIdentifier;
this.applicationPermissions = Collections.unmodifiableSet(new HashSet<>(applicationPermissions));
}

@@ -59,8 +62,8 @@ public String getDetails() {
}

@Override
public String getPrincipal() {
return userIdentifier;
public AnubisPrincipal getPrincipal() {
return new AnubisPrincipal(userIdentifier, callingApplicationIdentifier);
}

@Override
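Review bot: The widened constructor `AnubisAuthentication(token, userIdentifier, callingApplicationIdentifier, applicationPermissions)` gives no hint that callingApplicationIdentifier may be null, yet two of the three call sites in this commit (guest and tenant tokens) pass a literal null while the system authenticator passes the token's audience. A Javadoc on the constructor would pin that contract: `@param callingApplicationIdentifier audience of a system token, i.e. the application it was issued for; null for tenant and guest tokens`. getPrincipal() now builds a fresh AnubisPrincipal on each call, which is fine since both fields are final, but a comment noting that the returned principal is not identity-comparable would save a reader the question. The class header and the getName() implementation are outside this hunk.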
@@ -48,6 +48,6 @@ AnubisAuthentication authenticate(final String user) {

logger.info("Guest access \"authenticated\" successfully.", user);

return new AnubisAuthentication(null, RoleConstants.GUEST_USER_IDENTIFIER, permissions);
return new AnubisAuthentication(null, RoleConstants.GUEST_USER_IDENTIFIER, null, permissions);
}
}
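Review bot: The log call just above the changed return, `logger.info("Guest access \"authenticated\" successfully.", user);`, passes `user` but the message has no `{}` placeholder, so with an SLF4J-style logger the value is silently dropped and the entry never says which caller fell through to guest access. Either add the placeholder — `logger.info("Guest access \"authenticated\" successfully for user {}.", user);` — or drop the argument. The new positional `null` for callingApplicationIdentifier is consistent with guest access having no token audience; a short comment such as `// guest access is not bound to a calling application` would make it readable. authenticate() begins outside this hunk.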
@@ -15,9 +15,7 @@
*/
package io.mifos.anubis.security;

import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.*;
import io.mifos.anubis.annotation.AcceptedTokenType;
import io.mifos.anubis.api.v1.TokenConstants;
import io.mifos.anubis.provider.InvalidKeyTimestampException;
@@ -69,16 +67,23 @@ public AnubisAuthentication authenticate(
try {
final JwtParser jwtParser = Jwts.parser()
.setSigningKey(systemRsaKeyProvider.getPublicKey(keyTimestamp))
.requireAudience(applicationName.toString())
.requireIssuer(TokenType.SYSTEM.getIssuer())
.require(TokenConstants.JWT_SIGNATURE_TIMESTAMP_CLAIM, keyTimestamp);

TenantContextHolder.identifier().ifPresent(jwtParser::requireSubject);

jwtParser.parse(token);
//noinspection unchecked
final Jwt<Header, Claims> result = jwtParser.parse(token);
if (result.getBody() == null ||
result.getBody().getAudience() == null ||
!result.getBody().getAudience().equals(applicationName.toString())) {
logger.info("System token for user {}, with key timestamp {} failed to authenticate. Audience was set wrong or was not set.", user, keyTimestamp);
throw AmitAuthenticationException.invalidToken();
}

logger.info("System token for user {}, with key timestamp {} authenticated successfully.", user, keyTimestamp);

return new AnubisAuthentication(TokenConstants.PREFIX + token, user, permissions);
return new AnubisAuthentication(TokenConstants.PREFIX + token, user, result.getBody().getAudience(), permissions);
}
catch (final JwtException e) {
logger.debug("token = {}", token);
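Review bot: The new `final Jwt<Header, Claims> result = jwtParser.parse(token);` still goes through the generic parse() entry point and then trusts result.getBody(); parse() returns a plain Jwt for a two-segment, unsigned token, and unless the JJWT version in use rejects unsigned tokens whenever a signing key is configured (not verifiable from here), an attacker-supplied unsigned token with the right iss, aud and timestamp claims passes every check in this block, including the new manual audience comparison. `final Jws<Claims> result = jwtParser.parseClaimsJws(token);` enforces that the token is a signed JWS, throws a JwtException (handled by the catch below) otherwise, and removes the unchecked cast and the `//noinspection unchecked`. Keeping `.requireAudience(applicationName.toString())` on the parser alongside the manual comparison is redundant for now; since the title says this is preparation, a comment stating which of the two checks is meant to become conditional would keep the follow-up from deleting the wrong one. The `logger.debug("token = {}", token);` in the catch writes the full bearer token to the log; logging only its length or a hash avoids leaving credentials in log files. The catch clause continues past the end of the hunk.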
@@ -88,7 +88,7 @@ AnubisAuthentication authenticate(
logger.info("Tenant token for user {}, with key timestamp {} authenticated successfully.", user, keyTimestamp);

return new AnubisAuthentication(TokenConstants.PREFIX + token,
jwt.getBody().getSubject(), permissions
jwt.getBody().getSubject(), null, permissions
);
}
catch (final JwtException e) {
@@ -58,7 +58,7 @@ public UrlPermissionChecker(final Logger logger) {
final Collection<? extends GrantedAuthority> authorities = authentication.getAuthorities();
final Optional<ApplicationPermission> matchedPermission = authorities.stream()
.map(x -> (ApplicationPermission) x)
.filter(x -> x.matches(filterInvocation, authentication.getPrincipal()))
.filter(x -> x.matches(filterInvocation, authentication.getName()))
.findAny();

matchedPermission.ifPresent(x -> logger.debug("Authorizing access to {} based on permission: {}"
